54af0e1116
- Also load swtpm_libvirt in the selinux subpackage (bsc#1251789)
Marcus Meissner 2025-10-31 09:52:06 +00:00
e7ce30474a
Accepting request 1287567 from security
Ana Guerrero 2025-06-23 12:50:34 +00:00
cef5ca2f3e
- Update to version 0.10.1:
  + swtpm: Fix build error on 32bit systems due to inconsistent _FILE_OFFSET_BITS.
  + swtpm_setup:
    - Use DISTRO_PROFILES_DIR when listing profiles (fix path issue).
    - Do not pass a TPM 2 profile to swtpm when reconfiguring.
  + selinux:
    - Add rule for swtpm to be able to read password from pipe.
    - allow to map state file.
    - add NFS permissions for swtpm_t.
    - Add rule to allow swtpm_t opening of virt_log_t files.
- Drop 1229131-fix-swtpm-selinux-policy-mismatch.patch: fixed upstream.
- Add 1027.patch: tests: Retry NVWrite command after 0x922 return code and inc lockout counter.
Marcus Meissner 2025-06-21 13:44:02 +00:00
fb3d21655a
Accepting request 1228304 from security
Ana Guerrero 2024-12-05 16:05:19 +00:00
3dc793b08c
- Update to 0.10.0:
  + swtpm:
    * Requires libtpms v0.10.0
    * Display tpmstate-opt-lock as a new capability
    * Add support for lock option parameter to tpmstate option
    * nvstore_linear: Add support for file-backend locking
    * Remove broken logic to check for neither dir nor file backend
    * Use ptm_cap_n to build PTM_GET_CAPABILITY response
    * Define a structure to return PTM_GET_CAPABILITY result
    * Implement --print-info to run TPMLIB_GetInfo with flags
    * Support --profile fd= to read profile from file descriptor
    * Support --profile file= to read profile from file
    * Ignore remove-disabled parameter on non-'custom' profile
    * Check for good entropy source in chroot environment
    * Implement a check for HMAC+sha1 for testing future restriction
    * Implement function to check whether a crypto algorithm is disabled
    * Print cmdarg-print-profiles as part of capabilities
    * Check whether SHA1 signature support is disabled in profile
    * Use TPMLIB_WasManufactured to check whether profile was applied
    * Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
    * Add support for --print-profiles option
    * Print profile names as part of capabilities JSON
    * Display new capability to allow setting a profile
    * Add support for --profile option to set a profile on TPM 2
  + swtpm_setup:
    * Comment flags for storage primary key and deprecate --create-spk
    * Implement --print-profiles to display all profiles
    * Add profile entries to swtpm_setup.conf written by swtpm_setup
    * Add support for --profile-name option
    * Accept profiles with name starting with 'custom:'
    * Support default profile from file in swtpm_setup.conf
    * Support --profile-file-fd to read profile from file descriptor
    * Support --profile-file to read profile from file
    * Always log the active profile
    * Implement --profile-remove-fips-disabled option
    * Read default profile from swtpm_setup.conf
    * Print profile names as part of capabilities JSON
    * Add support for --profile parameter
    * Get default rsa keysize from setup_setup.conf if not given
  + swtpm_ioctl:
    * Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
  + selinux:
    * Change write to append for appending to log
    * Add rule for logging to svirt_image_t labeled files from swtpm_t
  + tests:
    * Update IBMTSS2 test suite to v2.4.0
    * Test activation of PCR banks when not all are available
    * Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
    * Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
    * Consolidate custom profile test cases and check for StateFormatLevel
    * Convert test_samples_create_tpmca to run installed
    * Mention test_tpm2_libtpms_versions_profiles requiring env. variables
    * allow running ibmtss2 tests against installed version
    * Derive support for CUSE from SWTPM_EXE help screen
    * Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
    * Extend test case testing across libtpms versions
    * Add test case for testing profiles across libtpms versions
    * Test the --profile option of swtpm_setup and swtpm
    * teach them to run installed
    * add installed-runner.sh
    * install tests on the system
    * lookup system binaries if INSTALLED is set
  + build-sys:
    * enable 64-bit file API on 32-bit systems
    * Add -Wshadow to the CFLAGS
    * Require that libtpms v0.10 is available for TPMLIB_SetProfile
Marcus Meissner 2024-12-04 12:48:57 +00:00
9231456bf8
Accepting request 1202016 from security
Ana Guerrero 2024-09-20 15:09:01 +00:00
7468cdf8a6
- Fix swtpm custom module (bsc#1229131)
- Add patch: 1229131-fix-swtpm-selinux-policy-mismatch.patch
  - this can be removed once swtpm upstream sorts out their custom selinux module.
    See: https://github.com/stefanberger/swtpm/issues/885
    There were a couple of changes in the selinux-policy libvirt handling which cause the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled virt_log_t instead of var_log_t. This patch allows swtpm_t to open the virt_log_t
Marcus Meissner 2024-09-19 14:01:38 +00:00
1bbb90dad8
- Update to version 0.7.0:
  - swtpm:
    - Support for linear file storage backend (file://)
    - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending on what libtpms supports
    - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
    - Wipe keys from stack and heap
    - Many other small changes
    - Make --daemon not racy
  - swtpm_setup:
    - Only activate SHA256 PCR bank, not SHA1 bank anymore by default
    - Support for linear file storage backend (file://)
    - Implement option --create-config-files to create config files
    - Use non-deprecated APIs to construct RSA key (OSSL 3)
    - Report stderr as returned by external tool (swtpm-localcal)
    - Replace '+' and ',' characters in VMId's to make work with common name in X509 subject
    - Add support for --reconfigure flag to change active PCR banks
  - swtpm_localca:
    - Created certificates for CAs and TPM that do not expire
  - swtpm_cert:
    - Allow passing -1 for days to get a non-expiring certificate
  - test:
    - ASAN-related test changes and skipping of tests if ASAN is used
    - Fix tests using tpm2-abrmd by preventing concurrency
    - Skip chardev related tests after checking for chardev support
    - exit with error code if mktemp fails
    - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test
  - build-sys:
    - Introduce --enable-sanitizers to configure
Marcus Meissner 2021-11-10 08:50:07 +00:00
f0d81401b9
- Update to version 0.6.1:
  - swtpm:
    - Clear keys from stack and heap
  - swtpm-localca:
    - Add missing else branch for pkcs11 and PIN
  - swtpm_setup:
    - Initialize GError and free it
    - Replace '\\s' in regex with [[:space:]] to fix cygwin
  - tests:
    - Kill tpm2-abrmd with SIGKILL rather than SIGTERM
  - build-sys:
    - Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3)
    - Enable configuring with CFLAGS and passing additional CFLAGS on build
Marcus Meissner 2021-09-22 09:35:00 +00:00
3a4505e5ba
Accepting request 912783 from security
Richard Brown 2021-08-19 11:06:39 +00:00
0e250bbded
Accepting request 911320 from home:gmbr3:Active
Marcus Meissner 2021-08-16 13:22:06 +00:00
ec4b576af5
- swtpm-rename_deprecated_libtasn1_types.patch: upstream
Marcus Meissner 2021-08-09 08:56:23 +00:00
9f05f64ac4
Accepting request 910608 from home:gmbr3:Active
Marcus Meissner 2021-08-09 08:47:13 +00:00